C
ConneqtOS

Privacy Policy

How ConneqtOS collects, uses, and protects your personal data, in plain English and full GDPR compliance.

Last updated:

This Privacy Policy explains how ConneqtOS("we", "us", or "our"), operated by LeadConneqt, processes personal data when you use our work management service at leadconneqt.com, conneqtcrm.com, and any subdomain of those (the "Service").

If you are in the European Economic Area, the UK, or Switzerland, this policy describes your rights under the General Data Protection Regulation (GDPR) and UK GDPR. This policy is intended to satisfy Articles 12–22 of the GDPR. This is a template and should be reviewed by legal counsel before going live.

1. Data controller

For data you provide directly (account, billing, usage) we are the controller. For data you upload as part of using the Service (boards, items, comments, attachments), you are the controller and we act as a processor, see our Data Processing Agreement (DPA) for details.

Controller contact: LeadConneqt, privacy@leadconneqt.com
Data Protection Officer: dpo@leadconneqt.com

2. What data we collect

Account data

  • Name, email, password (hashed with bcrypt, cost 12)
  • Profile preferences (avatar color, workspace name)
  • Invitation tokens (temporary, 7-day expiry)

Content data (you as controller)

  • Boards, groups, items, column values, comments, file attachments you create
  • Team member invites you send

Usage & technical data

  • IP address, browser/device info, timestamps (for audit logs + rate limiting)
  • Session cookie (essential, required to keep you logged in)
  • Audit log of sensitive actions (signup, password change, data export, billing events)

Billing data

  • If you subscribe, Stripe (our payment processor) collects card details directly, we never see your full card number
  • We store a Stripe customer ID, subscription status, and plan details linked to your organization

3. Why we use it (lawful basis under GDPR Art. 6)

PurposeData usedLawful basis
Provide the ServiceAccount + contentContract (Art. 6(1)(b))
Billing & invoicingBilling + accountContract (Art. 6(1)(b))
Transactional emails (signup, invoice, alerts)EmailContract / Legitimate interest
Security, fraud prevention, rate limitingIP, audit logsLegitimate interest (Art. 6(1)(f))
Legal obligations (tax, law enforcement)As requiredLegal obligation (Art. 6(1)(c))
Marketing emails (future)EmailConsent (Art. 6(1)(a)), opt-in only

4. Who we share it with (our subprocessors)

We use carefully chosen third-party services to run the Service. See our subprocessors list for the full current list. Today we use:

  • Railway, hosting & database (EU + US regions)
  • Stripe, payment processing (PCI DSS Level 1)
  • Resend, transactional email delivery
  • Cloudflare, DDoS protection & TLS

All subprocessors are bound by Data Processing Agreements. We only share personal data as necessary to operate the Service.

International transfers: Some subprocessors may process data outside the EEA. We rely on Standard Contractual Clauses (SCCs) for such transfers. Ask us for the SCCs on record for any specific transfer.

5. How long we keep it

  • Account data: until you delete your account, then 30 days in backups before full erasure.
  • Content data: until you delete it or your organization is terminated.
  • Audit logs: 2 years (for security + compliance).
  • Billing records: 7 years (required by tax law in most jurisdictions).
  • Support emails: 2 years after resolution.

6. Your rights under GDPR

You have the right to:

  • Access (Art. 15), get a copy of your data. In-app: Profile → Privacy & Data → Export my data.
  • Rectification (Art. 16), correct inaccurate data. Edit in your profile, or email us.
  • Erasure (Art. 17), have your data deleted. In-app: Profile → Delete my account (7-day grace period).
  • Restrict processing (Art. 18), pause processing. Email DPO.
  • Portability (Art. 20), export in a machine-readable format (JSON/CSV).
  • Object (Art. 21), object to processing based on legitimate interest.
  • Withdraw consent (Art. 7), for anything consent-based, anytime.
  • Lodge a complaint with a supervisory authority. In the UK, that's the ICO (ico.org.uk).

To exercise any right, email dpo@leadconneqt.comwith "GDPR Request" in the subject line. We respond within 30 days.

7. Security

We take security seriously. Technical measures include:

  • Encryption in transit (TLS 1.2+) and at rest (database-level encryption)
  • Passwords stored as bcrypt hashes (cost 12), never in plaintext
  • API keys stored as bcrypt hashes with truncated prefix for identification
  • Multi-tenant isolation enforced at the query layer
  • Automated daily backups with 30-day retention
  • Audit logging of sensitive actions
  • Rate limiting on login, registration, checkout
  • Security headers: HSTS, X-Frame-Options, X-Content-Type-Options

8. Cookies

We use only essential cookies by default (authentication session, cookie consent record). See our Cookie Policyfor details. We do not use advertising or cross-site tracking cookies.

9. Children's data

ConneqtOS is not intended for children under 16. We do not knowingly collect data from anyone under 16. If you believe we have collected data from a child, please email the DPO immediately.

10. Changes to this policy

We will announce material changes by email (to the account owner) and in-app banner at least 30 days before they take effect. The last updated date above reflects the most recent change.

11. Contact

Privacy questions: privacy@leadconneqt.com
GDPR requests: dpo@leadconneqt.com
Security reports: security@leadconneqt.com